
Alert on Remote Code Execution Vulnerabilities in Spring Framework | Detection Defense Implemented by Baishan Cloud Shield

Recently, the BaishanCloud security team took note of the latest remote code execution vulnerability in Spring Framework.

What is Spring Framework?

Spring Framework, the core open-source framework of the Spring ecosystem, is mainly used for enterprise Java EE development. Because the framework is so widely deployed, vulnerabilities in it are extremely severe. Baishan Cloud Shield tracks the status of the vulnerability promptly and updates its protection rules automatically; Spring Framework users are reminded to perform a self-check and take appropriate security measures as soon as possible.

Vulnerability Description of Spring Framework

Because of defects in the code that fixed a historical Spring Framework vulnerability, on JDK 9 and later releases a remote attacker can construct request data that, with the help of certain middleware, modifies log files and achieves remote code execution. This affects all releases of Spring Framework and the products that depend on it.

  • Vulnerability name: Spring Framework remote code execution vulnerability
  • CVE no.: Not available
  • Risk level: Critical
  • Technique type: Code injection
  • Threat type: Code execution
  • EXP or POC link: Not available

Verification Method for Spring Framework

A system is affected by this vulnerability only when both of the following conditions are met:

  • JDK release >= 9
  • Spring Framework, or a framework derived from it, is used

(1) Check JDK release number:

Execute the “java -version” command to check the running JDK version. If the release is 8 or lower, the system is not affected by this vulnerability.

(2) Check the usage of Spring Framework:

If the business system is deployed as a WAR package or runs directly as a standalone JAR package, follow the steps below to make the determination:

  • Change the package file's extension to zip and extract the archive.
  • Search the extracted directory for a JAR file matching spring-beans-*.jar (for example, spring-beans-5.3.16.jar). If one is present, the business system uses Spring Framework.
  • If no spring-beans-*.jar file exists, search the extracted directory for the file CachedIntrospectionResults.class. If it exists, the business system uses Spring Framework.
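The check above can be automated instead of renaming and extracting the archive by hand. The program below is an added example written for this page, not a BaishanCloud tool: it walks a WAR or executable JAR with java.util.zip, descends into nested JARs (such as WEB-INF/lib or BOOT-INF/lib), and reports every spring-beans-*.jar entry or CachedIntrospectionResults.class it finds. The class and method names are the editor's own; the markers it searches for are the two named in the steps above.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

/** Reports Spring Framework markers inside a WAR or executable JAR (added example). */
public class SpringPresenceCheck {

    /** Returns the archive paths of every marker found; an empty list means no marker. */
    public static List<String> findSpringMarkers(Path archive) throws IOException {
        List<String> hits = new ArrayList<>();
        try (InputStream in = Files.newInputStream(archive)) {
            scan(in, archive.getFileName().toString(), hits);
        }
        return hits;
    }

    private static void scan(InputStream in, String prefix, List<String> hits) throws IOException {
        // Deliberately not closed: closing a nested ZipInputStream would close the outer stream too.
        ZipInputStream zip = new ZipInputStream(in);
        ZipEntry entry;
        while ((entry = zip.getNextEntry()) != null) {
            String name = entry.getName();
            String base = name.substring(name.lastIndexOf('/') + 1);

            // Marker 1: the spring-beans-*.jar artifact (e.g. spring-beans-5.3.16.jar).
            if (base.startsWith("spring-beans-") && base.endsWith(".jar")) {
                hits.add(prefix + "!/" + name);
            }
            // Marker 2: the class file named in the manual check.
            if (base.equals("CachedIntrospectionResults.class")) {
                hits.add(prefix + "!/" + name);
            }
            // Recurse into any nested JAR; the parent stream ends at the entry boundary.
            if (name.endsWith(".jar")) {
                scan(zip, prefix + "!/" + name, hits);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java SpringPresenceCheck <app.war|app.jar>");
            System.exit(2);
        }
        List<String> hits = findSpringMarkers(Paths.get(args[0]));
        if (hits.isEmpty()) {
            System.out.println("No Spring Framework marker found in " + args[0]);
        } else {
            hits.forEach(h -> System.out.println("Spring Framework marker: " + h));
        }
    }
}
```

Run it with the application's JDK (java SpringPresenceCheck app.war on JDK 11 or later, which can run a single source file directly); a non-empty result means the second condition of the verification method is met, and the JDK version printed by java -version decides the first.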

Repair Solution 

No fixed version has been officially released yet. In the meantime, the following temporary measures can be used for protection:

1) If you operate your own WAF, add filtering rules for strings such as “class.*”, “Class.*”, “*.class.*” and “*.Class.*”, and test business operation after deploying the rules to avoid side effects. If you are using Baishan Cloud Shield WAF, this step can be skipped.

2) Search the application globally for the @InitBinder annotation and check whether the dataBinder.setDisallowedFields method is called. Wherever this code fragment is present, add {“class.*”, ”Class.*”, ”*.class.*”, ”*.Class.*”} to the existing blacklist. Note: if the fragment appears in several places, append the patterns at each of them.

3) Create a new global class under the application's project package and make sure that Spring loads it (adding it to the package that contains the Controllers is recommended). After the class is added, recompile and package the project, verify its functionality, and re-publish it.
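Steps 2 and 3 describe the same mitigation applied per controller and globally. The class below is an added example written for this page, not code supplied by BaishanCloud or the Spring project: it assumes the global class of step 3 is a @ControllerAdvice whose @InitBinder method registers the four disallowed-field patterns from step 2 on every WebDataBinder. The package and class names are the editor's own placeholders.

```java
// Hypothetical package; place the class where Spring's component scan will find it
// (the advisory recommends the package that contains the Controllers).
package com.example.hardening;

import java.util.Arrays;

import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global data-binder hardening (added example).
 * Applies the advisory's disallowed-field patterns to every controller's WebDataBinder.
 */
@ControllerAdvice
public class GlobalDataBinderHardening {

    // The four patterns the advisory asks to be added to the setDisallowedFields blacklist.
    private static final String[] DENIED_FIELDS = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void denyClassPropertyBinding(WebDataBinder binder) {
        // setDisallowedFields replaces the array rather than appending to it, so merge with
        // whatever a controller-level @InitBinder may already have registered.
        String[] existing = binder.getDisallowedFields();
        if (existing == null || existing.length == 0) {
            binder.setDisallowedFields(DENIED_FIELDS);
            return;
        }
        String[] merged = Arrays.copyOf(existing, existing.length + DENIED_FIELDS.length);
        System.arraycopy(DENIED_FIELDS, 0, merged, existing.length, DENIED_FIELDS.length);
        binder.setDisallowedFields(merged);
    }
}
```

Because setDisallowedFields overwrites the binder's list, a controller-level @InitBinder that sets its own blacklist after this advice runs would drop these patterns again; that is why step 2 asks for the patterns to be appended at every existing call site as well. After deploying, re-run the application's functional tests, since any legitimate request parameter whose name matches the patterns will now be ignored by data binding.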

Protection by BaishanCloud Shield

  • Both the Baishan Cloud Shield WAF protection system and BaishanCloud application trusted access (BaishanCloud Access) can effectively protect against this vulnerability.
  • Domain names that are not yet connected should be onboarded to our network for protection against the relevant vulnerabilities.
  • For connected domain names, simply keep the WAF protection mode set to intercept.

Based on the Zero Trust concept, BaishanCloud Access assumes that vulnerabilities always exist in the system and focuses on whether trusted users perform trusted actions after entering the enterprise network, so in theory it can prevent almost all 0-day and N-day vulnerabilities. Moreover, BaishanCloud Access's Zero Trust access and the Baishan Cloud Shield platform are seamlessly integrated, and WAF features can be overlaid with a single click for double protection.

The detection and defense of the remote code execution vulnerability in Spring Framework fully demonstrates the security protection capability of Baishan Cloud Shield.

Contact us today and upgrade your protection to the max!
